EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2

Transcription

1 EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2 Vincent Herbert (Joint work with Bhaskar Biswas) WEWoRC 2009 INRIA Paris Rocquencourt V. Herbert (WEWoRC 2009) SECRET Project Team # 1

2 Agenda 1 Motivation for code-based cryptography 2 Algorithms & Complexities 3 Speed Up McEliece Decryption 4 Results & Analysis V. Herbert (WEWoRC 2009) SECRET Project Team # 2

3 Motivation for code-based cryptography Why do we study Polynomial Root Finding? We face this problem in code-based cryptography. Indeed, McEliece-type cryptosystems are often based on Binary Goppa codes. Root finding is the most time-consuming step, in the implementation of algebraic decoding of Binary Goppa codes. R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pages , V. Herbert (WEWoRC 2009) SECRET Project Team # 3

4 Motivation for code-based cryptography What is McEliece Public Key Cryptosystem? Let us have an insight of the original version of McEliece. Public key : A binary linear [n,k] code C, i.e. a k-dimensional linear F 2 -subspace of F n 2, described by a generator matrix G. Private key : An efficient decoding algorithm for C up to the error correcting capacity t. Encryption : Map the k bits plaintext x to the codeword x.g, add e, an uniformly random error of length n and weight t. Decryption : Correct the t errors, unmap to get the message. This process is also called decoding. V. Herbert (WEWoRC 2009) SECRET Project Team # 4

5 Motivation for code-based cryptography What is a Binary Goppa Code? Let m > 0, n 2 m and a = (a 1,..., a n ) F n 2. The n-length binary Goppa code Γ(L, g) is defined by : Support L = (α 1,..., α n ) n-tuple of distinct elements of F 2 m ; Goppa polynomial g(z) F 2 m[z], square-free, monic of degree t > 0 with no root in L. Γ(L, g) is a subfield subcode over F 2 of a particular Goppa code over the binary field F 2 m. We have a Γ(L, g) if and only if : R a (z) := n i=1 a i z α i = 0 over F 2 m[z]/(g(z)). V. Herbert (WEWoRC 2009) SECRET Project Team # 5

6 Algorithms & Complexities How to decode Binary Goppa Codes? Let e, x, y be n-length binary vectors. We have to find x, the sent codeword knowing y = x + e where y is the received word and e the error word. We can correct up to t errors. Algebraic decoding is carried out in three steps : 1 Syndrome computation R y (z) = R e (z) = n i=1 e i z α i over F 2 m[z]/(g(z)). 2 Solving the Key Equation to obtain the error locator polynomial R e (z) σ e (z) = σ e(z) over F 2 m[z]/(g(z)). 3 Error Locator Polynomial Root Finding n σ e (z) := (z α i ) e i ; σ e (α i ) = 0 e i 0. i=1 V. Herbert (WEWoRC 2009) SECRET Project Team # 6

7 Algorithms & Complexities How to find the roots efficiently? Several approaches are possible, their efficiency depends on the size of parameters m and t. Chien search computes roots by evaluating artfully the polynomial in all points of L. This method is recommended for hardware implementations and coding theory applications in which m is small. BTA is a recursive algorithm using trace function properties. It is a faster method for secure parameters in McEliece-type cryptosystems. V. Herbert (WEWoRC 2009) SECRET Project Team # 7

8 Algorithms & Complexities What is the cost of the decryption? Let us recall, in practice, n = 2 m and mt n. Theoretical Complexity = number of binary operations required to decrypt in the worst case. Syndrome computation O(mnt) Key Equation Solving (w/ Patterson algorithm) O(mt 2 ) Error Locator Polynomial Root Finding Chien search O(mnt) Berlekamp Trace Algorithm (abbr. BTA) O(m 2 t 2 ) Experimental Complexity = average running time for the decryption. For recommended parameters (i.e. m = 11, t = 32), root finding with BTA (resp. Chien search) takes 72% (resp. 86%) of the total decryption time. V. Herbert (WEWoRC 2009) SECRET Project Team # 8

9 Algorithms & Complexities How does BTA work? Trace function Tr( ) : F 2 m F 2 Tr(z) := z + z 2 + z z 2m 1. The function Tr( ) is F 2 -linear and onto. We know that : i F 2, Tr(z) i = (z γ). γ s.t. Tr(γ)=i Moreover, we have : z 2m z = Tr(z) (Tr(z) 1). V. Herbert (WEWoRC 2009) SECRET Project Team # 9

10 Algorithms & Complexities How does BTA work? (contd) Let B = (β 1,..., β m ) a basis of F 2 m over F 2. Every α F 2 m is uniquely represented by the m-tuple : (Tr(β 1 α),..., Tr(β m α)). BTA splits any f F 2 m[z] s.t. f (z) (z 2m z) into linear factors by computing iteratively on β B and recursively on f : g(z) := gcd(f (z), Tr(β z)) and h(z) := f (z) g(z). BTA always successfully returns the linear factors of f. First call : f = σ e and β = β 1. V. Herbert (WEWoRC 2009) SECRET Project Team # 10

11 Speed Up McEliece Decryption How to reduce time complexity? The drawback of BTA is the large number of recursive calls when the system parameters grow. We reduce it by mixing BTA and Zinoviev s algorithms which are ad-hoc methods for finding roots of polynomials of degree 10 over F 2 m. We call this process BTZ in the following. BTZ depends on a parameter d max which is the maximum degree up to which we use Zinoviev s methods. V.A. Zinoviev, On the solution of equations of degree 10 over finite fields GF(2 m ), Research Report INRIA n 2829, 1996 V. Herbert (WEWoRC 2009) SECRET Project Team # 11

12 Speed Up McEliece Decryption Pseudocode of a simplified version of BTZ Algorithm 1 - BTZ(f, d, i) First call : f σ e ; d d max {2,..., 10} ; i 1. if degree(f ) d then return ZINOVIEV(f, d); else g gcd(f, Tr(β i z)); h f /g; return BTZ(g, d, i + 1) BTZ(h, d, i + 1) ; end if V. Herbert (WEWoRC 2009) SECRET Project Team # 12

13 Speed Up McEliece Decryption What are Zinoviev s algorithms? Zinoviev s methods find an affine multiple of any polynomial of degree 10 over F 2 m. The methods differ according to this degree. Affine Polynomial A(z) = L(z) + c where L is a linearized polynomial, c F q m. Linearized Polynomial L(z) = n l i z qi with q a prime power, l i F q m and l n = 1. In our case, q = 2. After that, finding roots of affine polynomial is easier than in the general case. i=0 V. Herbert (WEWoRC 2009) SECRET Project Team # 13

14 Speed Up McEliece Decryption Get an affine multiple of a polynomial of degree 2 or 3 Let us have an equation : z 2 + αz + β = 0, α, β F 2 m. Notice z 2 + αz is already a linearized polynomial. Nothing to do here. Now consider the equation : z 3 + az 2 + bz + c = 0, We have to decimate the non-linear terms. a, b, c F 2 m For this, we add one particular root by multiplying the left side by (z + a). We obtain z 4 + dz 2 + ez + f = 0 with d = a 2 + b, e = ab + c, f = ac. We get what we want, an affine multiple of a polynomial of degree 3. V. Herbert (WEWoRC 2009) SECRET Project Team # 14

15 Results & Analysis What results do we obtain? We specify a recurrence complexity formula for BTZ. We then use dynamic programming to estimate its theoretical complexity in the worst case. We thus determine the best d max to use to have the optimal efficiency on the following range of parameters : m = 8, 11, 12, 13, 14, 15, 16, 20, 30, 40 ; t = ; d max = Let K be the cost function of any operation over F 2 m. We take K(+) = 1 ; K( ) = 1 or K( ) = m. V. Herbert (WEWoRC 2009) SECRET Project Team # 15

16 Results & Analysis Conclusions & Perspectives For m = 11, t = 32, theory recommends d max = 5. Theoretical gain, in terms of number of operations over F 2 m, of BTZ with d max = 5 over BTA is 46%, the one over Chien method is 93%. The higher is t, the higher is the optimal d max, according to the theory. Practice confirms theory up to degree 3 at least. For instance with m = 11, t = 32 and d max = 2, BTZ takes 65% of the total time decryption against 72% for BTA and 86% for Chien. Implementation is in progress for greater parameters d max. V. Herbert (WEWoRC 2009) SECRET Project Team # 16

17 Danke schön WEWoRC 2009! Any questions or comments? Any further remarks or suggestions can be adressed at : Vincent.Herbert@inria.fr Slides will be available in a short time on : V. Herbert (WEWoRC 2009) SECRET Project Team # 17

18 Bonus Slides Why is it easier to find roots of an affine polynomial? Let us have an affine polynomial A(z) = L(z) + c = m 1 i=0 l i z 2i + c. Consider (α 1,, α m ) is a F 2 -basis of F 2 m, (l i ) 1 i m, c and x are elements of F 2 m. Guess x is a root of A. A(x) = 0 L(x) = c m m x i L(α i ) = c i α i (using linearity of L) i=1 m i=1 m x i l i,j α i = i=1 j=1 i=1 m c i α i (linear system in x i ) V. Herbert (WEWoRC 2009) SECRET Project Team # 18

19 Bonus Slides How does Chien search operate? Chien search is a recursive algorithm. We can say it s a clever exhaustive search. Let α be a generator of F 2 m and let f (x) = a 0 + a 1 x + + a t x t be a polynomial over F 2 m. f (α i ) = a 0 + a 1 α i + + a t (α i ) t f (α i+1 ) = a 0 + a 1 α i a t (α i+1 ) t = a 0 + a 1 α i α + + a t (α i ) t α t Set a i,j = a j (α i ) j. It is easy to obtain f (α i+1 ) from f (α i ) since we have that a i+1,j = a i,j α j. Moreover, if t j=0 a i,j = 0, then α i is a root of f. V. Herbert (WEWoRC 2009) SECRET Project Team # 19

20 Bonus Slides Let m > 0 and n 2 m. Second description of a Binary Goppa Code The n-length binary Goppa code Γ(L, g) is defined by : Support L = (α 1,..., α n ) n-tuple of distinct elements of F 2 m ; Goppa polynomial g(z) F 2 m[z], square-free, monic of degree t > 0 with no roots in L ; Γ(L, g) is a subfield subcode over F 2 of a particular Goppa code over binary field F 2 m which have parity-check matrix H. H := 1 g(α 1 ) 1 g(α 2 ). 1 g(α n) α 1 g(α 1 ) α 2 g(α 2 ). α n g(α n) α t 1 1 g(α 1 ) α t 1 2 g(α 2 ). α t 1 n g(α n) M n,t (F 2 m). Thus, we have a Γ(L, g) if and only if a.h = 0 and a F n 2. V. Herbert (WEWoRC 2009) SECRET Project Team # 20